Add safeguard against integer overflow

Author: jotaen

.github/benchmark.go

@@ -25,6 +25,10 @@ func main() {
 	// Generate records
 	date := klog.Ɀ_Date_(0, 1, 1)
 	for i := 0; i < iterations; i++ {
+		if date.IsEqualTo(klog.Ɀ_Date_(9999, 12, 31)) {
+			// Prevent date overflow
+			date = klog.Ɀ_Date_(0, 1, 1)
+		}
 		date = date.PlusDays(1)
 		r := klog.NewRecord(date)
 

klog/date.go

@@ -98,7 +98,7 @@ func NewDateFromGo(t gotime.Time) Date {
 	d, err := NewDate(t.Year(), int(t.Month()), t.Day())
 	if err != nil {
 		// This can/should never occur
-		panic("ILLEGAL_DATE")
+		panic("Illegal date")
 	}
 	return d
 }

klog/duration.go

@@ -3,6 +3,7 @@ package klog
 import (
 	"errors"
 	"fmt"
+	"github.com/jotaen/klog/klog/service/safemath"
 	"regexp"
 	"strconv"
 )
@@ -49,7 +50,12 @@ func NewDuration(amountHours int, amountMinutes int) Duration {
 }
 
 func NewDurationWithFormat(amountHours int, amountMinutes int, format DurationFormat) Duration {
-	return &duration{minutes: amountHours*60 + amountMinutes, format: format}
+	hoursToMins, err1 := safemath.Multiply(amountHours, 60)
+	totalMins, err2 := safemath.Add(hoursToMins, amountMinutes)
+	if err1 != nil || err2 != nil {
+		panic("Integer overflow")
+	}
+	return &duration{minutes: totalMins, format: format}
 }
 
 type duration struct {
@@ -69,11 +75,15 @@ func (d duration) InMinutes() int {
 }
 
 func (d duration) Plus(additional Duration) Duration {
-	return NewDuration(0, d.InMinutes()+additional.InMinutes())
+	mins, err := safemath.Add(d.InMinutes(), additional.InMinutes())
+	if err != nil {
+		panic("Integer overflow")
+	}
+	return NewDuration(0, mins)
 }
 
 func (d duration) Minus(deductible Duration) Duration {
-	return NewDuration(0, d.InMinutes()-deductible.InMinutes())
+	return d.Plus(NewDuration(0, deductible.InMinutes()*-1))
 }
 
 func (d duration) ToString() string {
@@ -129,9 +139,15 @@ func NewDurationFromString(hhmm string) (Duration, error) {
 	if match[3] == "" && match[5] == "" {
 		return nil, errors.New("MALFORMED_DURATION")
 	}
-	amountOfHours, _ := strconv.Atoi(match[3])
-	amountOfMinutes, _ := strconv.Atoi(match[5])
-	if amountOfHours != 0 && amountOfMinutes >= 60 {
+	amountOfHours, a1Err := strconv.Atoi(match[3])
+	if match[3] != "" && a1Err != nil {
+		panic(a1Err)
+	}
+	amountOfMinutes, a2Err := strconv.Atoi(match[5])
+	if match[5] != "" && a2Err != nil {
+		panic(a2Err)
+	}
+	if match[3] != "" && amountOfMinutes >= 60 {
 		return nil, errors.New("UNREPRESENTABLE_DURATION")
 	}
 	if amountOfHours == 0 && amountOfMinutes == 0 && match[1] != "" {

klog/duration_test.go

@@ -2,27 +2,33 @@ package klog
 
 import (
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"testing"
 )
 
 func TestSerialiseDurationOnlyWithMeaningfulValues(t *testing.T) {
 	assert.Equal(t, "0m", NewDuration(0, 0).ToString())
 	assert.Equal(t, "1m", NewDuration(0, 1).ToString())
+	assert.Equal(t, "34m", NewDuration(0, 34).ToString())
+	assert.Equal(t, "59m", NewDuration(0, 59).ToString())
+	assert.Equal(t, "1h", NewDuration(1, 0).ToString())
 	assert.Equal(t, "15h", NewDuration(15, 0).ToString())
-}
-
-func TestSerialiseDurationOfLargeHourValues(t *testing.T) {
+	assert.Equal(t, "15h3m", NewDuration(15, 3).ToString())
 	assert.Equal(t, "265h45m", NewDuration(265, 45).ToString())
+	assert.Equal(t, "4716278h48m", NewDuration(4716278, 48).ToString())
+	assert.Equal(t, "153722867280912930h7m", NewDuration(0, 9223372036854775807).ToString())
 }
 
 func TestSerialiseDurationWithoutLeadingZeros(t *testing.T) {
 	assert.Equal(t, "2h6m", NewDuration(2, 6).ToString())
 }
 
 func TestSerialiseDurationOfNegativeValues(t *testing.T) {
+	assert.Equal(t, "-2h4m", NewDuration(-2, -4).ToString())
 	assert.Equal(t, "-3h18m", NewDuration(-3, -18).ToString())
-	assert.Equal(t, "-3h", NewDuration(-3, 0).ToString())
+	assert.Equal(t, "-812747h", NewDuration(-812747, 0).ToString())
 	assert.Equal(t, "-18m", NewDuration(0, -18).ToString())
+	assert.Equal(t, "-153722867280912930h7m", NewDuration(0, -9223372036854775807).ToString())
 }
 
 func TestSerialiseDurationWithSign(t *testing.T) {
@@ -70,13 +76,19 @@ func TestParsingDurationWithHoursAndMinutes(t *testing.T) {
 }
 
 func TestParsingDurationWithHourValueOnly(t *testing.T) {
-	for _, d := range []string{
-		"13h",
-		"13h0m",
+	for _, d := range []struct {
+		text   string
+		expect Duration
+	}{
+		{"0h", NewDuration(0, 0)},
+		{"1h", NewDuration(1, 0)},
+		{"13h", NewDuration(13, 0)},
+		{"9882187612h", NewDuration(9882187612, 0)},
+		{"13h0m", NewDuration(13, 0)},
 	} {
-		duration, err := NewDurationFromString(d)
+		duration, err := NewDurationFromString(d.text)
 		assert.Nil(t, err)
-		assert.Equal(t, NewDuration(13, 0), duration)
+		assert.Equal(t, d.expect, duration)
 	}
 }
 
@@ -85,12 +97,16 @@ func TestParsingDurationWithMinuteValueOnly(t *testing.T) {
 		text   string
 		expect Duration
 	}{
+		{"1m", NewDuration(0, 1)},
 		{"48m", NewDuration(0, 48)},
+		{"59m", NewDuration(0, 59)},
+
 		{"0h48m", NewDuration(0, 48)},
 
 		// Minutes >60 are okay if there is no hour part present
+		{"60m", NewDuration(1, 0)},
 		{"120m", NewDuration(2, 0)},
-		{"150m", NewDuration(2, 30)},
+		{"568721940327m", NewDuration(0, 568721940327)},
 	} {
 		duration, err := NewDurationFromString(d.text)
 		assert.Nil(t, err)
@@ -131,7 +147,7 @@ func TestParsingFailsWithInvalidValue(t *testing.T) {
 		"6h asdf",
 		"qwer 30m",
 		"⠙⠛m",   // Braille digits
-		"四二h",   // Japanese digits
+		"四二h", // Japanese digits
 		"᠒h᠐᠒m", // Mongolean digits
 	} {
 		duration, err := NewDurationFromString(d)
@@ -143,6 +159,7 @@ func TestParsingFailsWithInvalidValue(t *testing.T) {
 func TestParsingFailsWithMinutesGreaterThan60WhenHourPartPresent(t *testing.T) {
 	for _, d := range []string{
 		"1h60m",
+		"0h60m",
 		"8h1653m",
 		"-8h1653m",
 	} {
@@ -151,3 +168,72 @@ func TestParsingFailsWithMinutesGreaterThan60WhenHourPartPresent(t *testing.T) {
 		assert.Equal(t, nil, duration)
 	}
 }
+
+func TestParsingDurationWithMaxValue(t *testing.T) {
+	t.Run("max", func(t *testing.T) {
+		d, err := NewDurationFromString("9223372036854775807m")
+		require.Nil(t, err)
+		assert.Equal(t, NewDuration(0, 9223372036854775807), d)
+	})
+	t.Run("max", func(t *testing.T) {
+		d, err := NewDurationFromString("153722867280912930h7m")
+		require.Nil(t, err)
+		assert.Equal(t, NewDuration(153722867280912930, 7), d)
+	})
+	t.Run("min", func(t *testing.T) {
+		d, err := NewDurationFromString("-9223372036854775807m")
+		require.Nil(t, err)
+		assert.Equal(t, NewDuration(0, -9223372036854775807), d)
+	})
+	t.Run("max", func(t *testing.T) {
+		d, err := NewDurationFromString("-153722867280912930h7m")
+		require.Nil(t, err)
+		assert.Equal(t, NewDuration(-153722867280912930, -7), d)
+	})
+}
+
+func TestParsingDurationTooBigToRepresent(t *testing.T) {
+	for _, d := range []string{
+		"9223372036854775808m",
+		"-9223372036854775808m",
+		"9223372036854775808h",
+		"-9223372036854775808h",
+		"153722867280912930h08m",
+		"-153722867280912930h08m",
+	} {
+		assert.Panics(t, func() {
+			_, _ = NewDurationFromString(d)
+		}, d)
+	}
+}
+
+func TestDurationPlusMinus(t *testing.T) {
+	for _, d := range []struct {
+		sum    Duration
+		expect int
+	}{
+		{NewDuration(0, 0).Plus(NewDuration(0, 0)), 0},
+		{NewDuration(0, 0).Plus(NewDuration(0, 1)), 1},
+		{NewDuration(0, 0).Plus(NewDuration(1, 2)), 62},
+		{NewDuration(1382, 9278).Plus(NewDuration(4718, 5010)), 380288},
+		{NewDuration(0, 9223372036854775806).Plus(NewDuration(0, 1)), 9223372036854775807},
+		{NewDuration(0, 0).Plus(NewDuration(0, -9223372036854775807)), -9223372036854775807},
+
+		{NewDuration(0, 0).Minus(NewDuration(0, 0)), 0},
+		{NewDuration(0, 0).Minus(NewDuration(0, 1)), -1},
+		{NewDuration(0, 0).Minus(NewDuration(1, 2)), -62},
+		{NewDuration(1382, 9278).Minus(NewDuration(4718, 5010)), -195892},
+	} {
+		assert.Equal(t, d.sum.InMinutes(), d.expect)
+	}
+}
+
+func TestPanicsIfAdditionOverflows(t *testing.T) {
+	assert.Panics(t, func() {
+		NewDuration(0, 9223372036854775807).Plus(NewDuration(0, 1))
+	})
+
+	assert.Panics(t, func() {
+		NewDuration(0, -9223372036854775807).Plus(NewDuration(0, -1))
+	})
+}

klog/parser/engine/parallel.go

@@ -23,7 +23,7 @@ type batchResult[T any] struct {
 
 func (p ParallelBatchParser[T]) Parse(text string) ([]T, []txt.Block, []txt.Error) {
 	if p.NumberOfWorkers <= 0 {
-		panic("ILLEGAL_WORKER_SIZE")
+		panic("Illegal number of workers")
 	}
 	batches := splitIntoChunks(text, p.NumberOfWorkers)
 	allResults := p.processAsync(batches, func(batchIndex int, batchText string) batchResult[T] {

klog/parser/reconciling/start_open_range.go

@@ -14,7 +14,7 @@ func (r *Reconciler) StartOpenRange(startTime klog.Time, format ReformatDirectiv
 		// Re-parse time to apply format.
 		reformattedTime, err := klog.NewTimeFromString(startTime.ToStringWithFormat(f))
 		if err != nil {
-			panic("INVALID_TIME")
+			panic("Invalid time")
 		}
 		startTime = reformattedTime
 	})

klog/parser/reconciling/style.go

@@ -133,7 +133,7 @@ func ascertain[T comparable](e *election[T], defaultStyle styleProp[T]) stylePro
 // `base` style that had been set explicitly take precedence.
 func elect(base style, rs []klog.Record, bs []txt.Block) *style {
 	if len(rs) != len(bs) {
-		panic("ASSERTION_ERROR")
+		panic("Internal error")
 	}
 	lineEndingElection := newElection[string]()
 	indentationElection := newElection[string]()

klog/service/safemath/add.go

@@ -0,0 +1,22 @@
+package safemath
+
+// Add calculates the sum of two integers.
+// It returns an error if the resulting integer would overflow.
+func Add(a int, b int) (int, error) {
+	err := assertOperandInRange(a, b)
+	if err != nil {
+		return 0, err
+	}
+
+	if b > 0 {
+		if a > MaxInt-b {
+			return 0, OverflowErr
+		}
+	} else {
+		if a < MinInt-b {
+			return 0, OverflowErr
+		}
+	}
+
+	return a + b, nil
+}

klog/service/safemath/add_test.go

@@ -0,0 +1,61 @@
+package safemath
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestAddNonOverflowing(t *testing.T) {
+	for _, x := range []OpRes{
+		{0, 0, 0},
+
+		{0, 1, 1},
+		{0, 42, 42},
+		{0, MaxInt, MaxInt},
+
+		{0, -1, -1},
+		{0, -42, -42},
+		{0, MinInt, MinInt},
+
+		{42, 42, 84},
+		{1500000, 1500000, 3000000},
+
+		{MaxInt / 2, MaxInt/2 + 1, MaxInt},
+		{MinInt / 2, MinInt/2 - 1, MinInt},
+
+		{MaxInt, -1, MaxInt - 1},
+		{MinInt, 1, MinInt + 1},
+	} {
+		t.Run(fmt.Sprintf("%d %d (original)", x.a, x.b), func(t *testing.T) {
+			res, err := Add(x.a, x.b)
+			assert.Nil(t, err)
+			assert.Equal(t, x.res, res)
+		})
+		t.Run(fmt.Sprintf("%d %d (commutative)", x.b, x.a), func(t *testing.T) {
+			res, err := Add(x.b, x.a)
+			assert.Nil(t, err)
+			assert.Equal(t, x.res, res)
+		})
+	}
+}
+
+func TestAddOverflowing(t *testing.T) {
+	for _, x := range []OpErr{
+		{1, MaxInt},
+		{-1, MinInt},
+		{MaxInt, MaxInt},
+		{MaxInt/2 + 1, MaxInt/2 + 1},
+	} {
+		t.Run(fmt.Sprintf("%d %d (original)", x.a, x.b), func(t *testing.T) {
+			res, err := Add(x.a, x.b)
+			assert.Error(t, err)
+			assert.Equal(t, 0, res)
+		})
+		t.Run(fmt.Sprintf("%d %d (commutative)", x.b, x.a), func(t *testing.T) {
+			res, err := Add(x.b, x.a)
+			assert.Error(t, err)
+			assert.Equal(t, 0, res)
+		})
+	}
+}

klog/service/safemath/constants.go

@@ -0,0 +1,33 @@
+package safemath
+
+import (
+	"errors"
+	"math"
+)
+
+var (
+	OverflowErr = errors.New("overflow")
+
+	// MaxInt represents the largest possible (positive) integer value.
+	MaxInt = math.MaxInt
+	// MinInt represents the smallest possible (negative) integer value.
+	// It doesn’t fully exhaust the theoretical range, to be in line with the
+	// MaxInt range, and to allow inverting values without worry.
+	MinInt = math.MinInt + 1
+)
+
+func assertOperandInRange(xs ...int) error {
+	for _, x := range xs {
+		if x < MinInt {
+			return OverflowErr
+		}
+	}
+	return nil
+}
+
+func abs(x int) int {
+	if x < 0 {
+		return -1 * x
+	}
+	return x
+}